Message ID | 20180820103930.32455-1-nuno.mcvmorais@gmail.com |
---|---|
State | Changes Requested |
Delegated to: | John Crispin |
Series | [OpenWrt-Devel] ustream-ssl: add optional mutual authentication (mTLS) | expand |
On 20/08/18 12:39, Nuno Morais wrote: > For B2B applications, mutual authentication of peers is a requirement. > > Add operation to enable / disable peer authentication > adding a new operation to the ustream_ssl_ops struct > using "SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT", > and "MBEDTLS_SSL_VERIFY_REQUIRED". Hi, 2 nitpicks inline > Signed-off-by: Nuno Morais <nuno.mcvmorais@gmail.com> > --- > ustream-internal.h | 1 + > ustream-mbedtls.c | 10 ++++++++++ > ustream-openssl.c | 12 ++++++++++++ > ustream-ssl.c | 1 + > ustream-ssl.h | 2 ++ > 5 files changed, 26 insertions(+) > > diff --git a/ustream-internal.h b/ustream-internal.h > index a8c534f..923e9d2 100644 > --- a/ustream-internal.h > +++ b/ustream-internal.h > @@ -41,6 +41,7 @@ struct ustream_ssl_ctx *__ustream_ssl_context_new(bool server); > int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx *ctx, const char *file); > int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char *file); > int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file); > +int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth); > void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx); > enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us); > int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len); > diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c > index 347c600..d859a08 100644 > --- a/ustream-mbedtls.c > +++ b/ustream-mbedtls.c 
> @@ -217,6 +217,16 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char > return 0; > } > > +__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth) > +{ > + if(mutual_auth) missing space betwen if and ( at various places inside the patch. > + mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_REQUIRED); > + else > + mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_OPTIONAL); > + > + return 0; > +} > + > __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx) > { > #if defined(MBEDTLS_SSL_CACHE_C) > diff --git a/ustream-openssl.c b/ustream-openssl.c > index 7c72ce1..585e526 100644 > --- a/ustream-openssl.c > +++ b/ustream-openssl.c > @@ -154,6 +154,18 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char > return 0; > } > > +__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth) > +{ > + > + if(mutual_auth) > + SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); unneeded space between (void *) and ctx at various places inside the patch John > + else > + SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_NONE, NULL); > + > + return 0; > + > +} > + > __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx) > { > SSL_CTX_free((void *) ctx); > diff --git a/ustream-ssl.c b/ustream-ssl.c > index dd0faf9..ad80925 100644 > --- a/ustream-ssl.c > +++ b/ustream-ssl.c > @@ -208,6 +208,7 @@ const struct ustream_ssl_ops ustream_ssl_ops = { > .context_set_crt_file = __ustream_ssl_set_crt_file, > .context_set_key_file = __ustream_ssl_set_key_file, > .context_add_ca_crt_file = __ustream_ssl_add_ca_crt_file, > + .context_set_mutual_auth = __ustream_ssl_set_mutual_auth, > .context_free = __ustream_ssl_context_free, > .init = _ustream_ssl_init, > .set_peer_cn = _ustream_ssl_set_peer_cn, > diff --git a/ustream-ssl.h b/ustream-ssl.h > index 7787788..3eb24ae 100644 > --- a/ustream-ssl.h 
> +++ b/ustream-ssl.h > @@ -52,6 +52,7 @@ struct ustream_ssl_ops { > int (*context_set_crt_file)(struct ustream_ssl_ctx *ctx, const char *file); > int (*context_set_key_file)(struct ustream_ssl_ctx *ctx, const char *file); > int (*context_add_ca_crt_file)(struct ustream_ssl_ctx *ctx, const char *file); > + int (*context_set_mutual_auth)(struct ustream_ssl_ctx *ctx, int mutual_auth); > void (*context_free)(struct ustream_ssl_ctx *ctx); > > int (*init)(struct ustream_ssl *us, struct ustream *conn, struct ustream_ssl_ctx *ctx, bool server); > @@ -64,6 +65,7 @@ extern const struct ustream_ssl_ops ustream_ssl_ops; > #define ustream_ssl_context_set_crt_file ustream_ssl_ops.context_set_crt_file > #define ustream_ssl_context_set_key_file ustream_ssl_ops.context_set_key_file > #define ustream_ssl_context_add_ca_crt_file ustream_ssl_ops.context_add_ca_crt_file > +#define ustream_ssl_context_set_mutual_auth ustream_ssl_ops.context_set_mutual_auth > #define ustream_ssl_context_free ustream_ssl_ops.context_free > #define ustream_ssl_init ustream_ssl_ops.init > #define ustream_ssl_set_peer_cn ustream_ssl_ops.set_peer_cn
diff --git a/ustream-internal.h b/ustream-internal.h
index a8c534f..923e9d2 100644
--- a/ustream-internal.h
+++ b/ustream-internal.h
@@ -41,6 +41,7 @@ struct ustream_ssl_ctx *__ustream_ssl_context_new(bool server);
 int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx *ctx, const char *file);
 int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char *file);
 int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file);
+int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth);
 void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx);
 enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us);
 int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len);
diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 347c600..d859a08 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -217,6 +217,16 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
 return 0;
 }
 
+__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth)
+{
+ if(mutual_auth)
+ mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+ else
+ mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+
+ return 0;
+}
+
 __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
 {
 #if defined(MBEDTLS_SSL_CACHE_C)
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 7c72ce1..585e526 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -154,6 +154,18 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
 return 0;
 }
 
+__hidden int __ustream_ssl_set_mutual_auth(struct ustream_ssl_ctx *ctx, int mutual_auth)
+{
+
+ if(mutual_auth)
+ SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+ else
+ SSL_CTX_set_verify((void *) ctx, SSL_VERIFY_NONE, NULL);
+
+ return 0;
+
+}
+
 __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
 {
 SSL_CTX_free((void *) ctx);
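Review bot: Disabling mutual authentication means something different in each backend: this hunk falls back to MBEDTLS_SSL_VERIFY_OPTIONAL, which still verifies the peer chain and only stops the handshake from failing on it, while the ustream-openssl.c hunk falls back to SSL_VERIFY_NONE, which on a server context stops asking for a client certificate at all. Neither branch restores the mode the context constructor chose (outside this hunk), so a caller that turns the option off ends up with library-dependent verification state rather than "back to default". Pick one meaning for `mutual_auth == 0` and state it on the function, e.g. `/* non-zero: require and verify a peer certificate during the handshake; zero: fall back to the backend's optional/none mode (not the constructor's default) */`. Both implementations also `return 0` unconditionally, so the int return carries no information; either document that the call cannot fail or make it report the cases in which the mode cannot take effect.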
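Review bot: With SSL_VERIFY_PEER and a NULL verify callback, OpenSSL now aborts the handshake itself when the peer chain does not verify, so failures surface as a connection error rather than through whatever post-handshake verification ustream-ssl otherwise reports (not visible in this hunk; worth confirming the error-notification path copes with that). It also means a server that enables this before a CA has been added via context_add_ca_crt_file will reject every client, which deserves a one-line comment on the function: `/* requires a CA chain to have been loaded; effective for connections created after this call */`. The empty line after `+{` and the one before `+}` do not match the neighbouring functions in this file.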
diff --git a/ustream-ssl.c b/ustream-ssl.c
index dd0faf9..ad80925 100644
--- a/ustream-ssl.c
+++ b/ustream-ssl.c
@@ -208,6 +208,7 @@ const struct ustream_ssl_ops ustream_ssl_ops = {
 .context_set_crt_file = __ustream_ssl_set_crt_file,
 .context_set_key_file = __ustream_ssl_set_key_file,
 .context_add_ca_crt_file = __ustream_ssl_add_ca_crt_file,
+ .context_set_mutual_auth = __ustream_ssl_set_mutual_auth,
 .context_free = __ustream_ssl_context_free,
 .init = _ustream_ssl_init,
 .set_peer_cn = _ustream_ssl_set_peer_cn,
diff --git a/ustream-ssl.h b/ustream-ssl.h
index 7787788..3eb24ae 100644
--- a/ustream-ssl.h
+++ b/ustream-ssl.h
@@ -52,6 +52,7 @@ struct ustream_ssl_ops {
 int (*context_set_crt_file)(struct ustream_ssl_ctx *ctx, const char *file);
 int (*context_set_key_file)(struct ustream_ssl_ctx *ctx, const char *file);
 int (*context_add_ca_crt_file)(struct ustream_ssl_ctx *ctx, const char *file);
+ int (*context_set_mutual_auth)(struct ustream_ssl_ctx *ctx, int mutual_auth);
 void (*context_free)(struct ustream_ssl_ctx *ctx);
 
 int (*init)(struct ustream_ssl *us, struct ustream *conn, struct ustream_ssl_ctx *ctx, bool server);
@@ -64,6 +65,7 @@ extern const struct ustream_ssl_ops ustream_ssl_ops;
 #define ustream_ssl_context_set_crt_file ustream_ssl_ops.context_set_crt_file
 #define ustream_ssl_context_set_key_file ustream_ssl_ops.context_set_key_file
 #define ustream_ssl_context_add_ca_crt_file ustream_ssl_ops.context_add_ca_crt_file
+#define ustream_ssl_context_set_mutual_auth ustream_ssl_ops.context_set_mutual_auth
 #define ustream_ssl_context_free ustream_ssl_ops.context_free
 #define ustream_ssl_init ustream_ssl_ops.init
 #define ustream_ssl_set_peer_cn ustream_ssl_ops.set_peer_cn
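Review bot: The new `context_set_mutual_auth` op and its ustream_ssl_context_set_mutual_auth wrapper are added without any comment on when they may be called or what they require, and this header is the only place library users will look. Both backends apply the setting to the shared context rather than to a live connection, so it should be made before ustream_ssl_init() for the connection it is meant to protect, and once enabled it needs a CA loaded through context_add_ca_crt_file; a comment of the form `/* require (non-zero) or stop requiring a verified peer certificate; call after context_add_ca_crt_file() and before ustream_ssl_init() */` above the declaration would capture that. The parameter could also be `bool mutual_auth`, matching the `bool server` this struct already uses for init.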
For B2B applications, mutual authentication of peers is a requirement. Add an operation to the ustream_ssl_ops struct that enables or disables peer authentication, using "SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT" for OpenSSL and "MBEDTLS_SSL_VERIFY_REQUIRED" for mbedTLS. Signed-off-by: Nuno Morais <nuno.mcvmorais@gmail.com> --- ustream-internal.h | 1 + ustream-mbedtls.c | 10 ++++++++++ ustream-openssl.c | 12 ++++++++++++ ustream-ssl.c | 1 + ustream-ssl.h | 2 ++ 5 files changed, 26 insertions(+)